Set an MCP server API key
Stores an API key credential for an MCP server and installs/enables it in one call, for servers whose credential model is tenant_api_key only. The scope may be team (shared across the workspace, the default) or user (private to the caller); the chosen scope must be among the server’s allowed scopes, and user scope requires a resolvable calling user. The supplied key is securely sealed and, where the backend supports it, validated against the upstream before being saved; an invalid key is rejected. Idempotent: pasting a new key for an existing install rotates the credential in place. Returns the slug, enabled flag, the stored credential reference id, and the confirmed scope. Admin only; scoped to the caller’s own workspace.
Authorizations
Personal Access Token. Send as Authorization: Bearer hq_pat_....
Path Parameters
MCP server slug
Body
The bearer token the agent will use against the MCP backend. The caller is responsible for choosing the right scoping (e.g. a Stripe restricted key rk_test_..., a GitHub PAT). The platform doesn't validate the token shape - only its presence.
"team" (default) - credential is shared across the workspace and used for every caller.
"user" - credential is private to the caller; the resolver only uses it when this user is the one making the call (otherwise it falls through to the team row, if any).
The server validates the scope against mcp_servers.allowed_scopes and rejects scopes the operator hasn't permitted for this MCP.
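The scope rules above, modelled as an added example (not the platform's own code): an in-memory store that checks the requested scope against the server's allowed scopes, rotates in place, and resolves a caller's credential with the user row taking precedence over the team row. The class, method and field names, the slugs, the user ids and the key strings are assumptions constructed for illustration; the credential reference id and upstream validation are left out.

```python
from dataclasses import dataclass, field

TEAM, USER = "team", "user"

class ScopeError(ValueError):
    """Scope not permitted for the server, or no user to bind a user scope to."""

@dataclass
class CredentialStore:
    # Models mcp_servers.allowed_scopes: slug -> scopes the operator permits.
    allowed_scopes: dict
    # One row per (slug, scope, owner); owner is None for team rows.
    rows: dict = field(default_factory=dict)

    def set_key(self, slug, api_key, scope=TEAM, user_id=None):
        if not api_key:
            raise ValueError("api key must be present")  # presence, not shape
        if scope not in self.allowed_scopes.get(slug, set()):
            raise ScopeError(f"scope {scope!r} not permitted for {slug!r}")
        if scope == USER and user_id is None:
            raise ScopeError("user scope requires a resolvable calling user")
        owner = user_id if scope == USER else None
        # Writing to an existing row rotates the credential in place.
        self.rows[(slug, scope, owner)] = api_key
        return {"slug": slug, "enabled": True, "scope": scope}

    def resolve(self, slug, user_id=None):
        """Return (scope, key) used for this caller, or None if nothing is stored."""
        if user_id is not None and (slug, USER, user_id) in self.rows:
            return USER, self.rows[(slug, USER, user_id)]
        if (slug, TEAM, None) in self.rows:
            return TEAM, self.rows[(slug, TEAM, None)]  # fall through to team row
        return None

def demo():
    # Constructed slugs, users and key strings; none are real credentials.
    store = CredentialStore({"stripe": {TEAM, USER}, "github": {TEAM}})
    store.set_key("stripe", "rk_test_TEAM_CONSTRUCTED")
    store.set_key("stripe", "rk_test_ALICE_CONSTRUCTED", USER, "alice")
    store.set_key("stripe", "rk_test_TEAM_ROTATED")  # rotation, same row
    return store

if __name__ == "__main__":
    s = demo()
    print(s.resolve("stripe", "alice"))  # alice's private key
    print(s.resolve("stripe", "bob"))    # team key, after rotation
```

In this model a caller without a user-scoped row always ends up on the shared team credential, so the team key's upstream permissions bound what any workspace member's calls can do.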